Deep packet inspection (DPI) is a network packet filtering technique that examines the payload, and in some cases the header, of a packet when the packet reaches an inspection module. The DPI technique has many applications including, for example, advanced network management services, security (e.g., malware and spam detection), data mining, eavesdropping, censorship, and the like. The packet inspection can be performed from Layer 2 through Layer 7 of the Open Systems Interconnection (OSI) model. This includes inspection of one or more of the headers, data protocol structures, and payload of the message. The layer or layers and the content within a packet being inspected depend on the application. As an example, for a data mining or eavesdropping application, the DPI may include searching for keywords in packets carrying Layer 7 protocols' data. Examples of such protocols include hypertext transfer protocol (HTTP), simple mail transfer protocol, instant-messaging protocols, and the like.
In conventional communication systems, packet filtering, classification, and inspection are performed by DPI systems. In point-to-multipoint networks, DPI systems are typically deployed near a central node (e.g., line terminal node, switchboard, data center, etc.) or as a proxy between user nodes and the central node. This requires the DPI system to receive all traffic flows between all user nodes and the central node, process the traffic, and relay the inspected traffic back to the network.
Examples of possible deployments of a DPI system are illustrated in FIG. 1, where a point-to-multipoint network 100 is shown. The network 100 includes M end-units 120-1 through 120-M (collectively end-units 120) connected to a central unit 130 via a network 140. The network 140 facilitates the communication between the end-units 120 and the central unit 130. The network 140 may be realized as multiple optical connections between the end-units 120 and the central unit 130. Thus, the exemplary network 100 may be a passive optical network (PON).
In the network 100, a DPI system 150 is connected to the central unit 130. The DPI system 150 taps traffic flows between the end-units 120 and the OLT 130 and processes such traffic, in real time, for deep packet inspection purposes, e.g., to identify information of interest to a user of the DPI system 150.
Regardless of the deployment of the DPI system, the operation of such a system, specifically one designed for data mining, eavesdropping, and censorship applications, is intrusive. That is, a packet sent from an end-unit 120 is inspected by the DPI system 150. To this end, the packet is first terminated by the central unit 130 and then mirrored to the DPI system 150. As a result, the communication latency between the central unit 130 and the end-units 120 is significant.
Furthermore, the DPI system (e.g., system 150) should process all packets flowing from all end-units 120 to the central node 130, and thus should handle a vast amount of data. A conventional DPI system is therefore typically a complex processing machine that should have powerful processing capabilities. Hence, conventional DPI systems are also costly.
Other techniques for tapping users' traffic include an Ethernet hub connected to an end-unit that replicates Ethernet frames. The duplicated Ethernet frames are forwarded to a DPI system for further processing. Such solutions replicate all Ethernet frames, and thus still require DPI systems having powerful processing capabilities. Further, inspection of frames is limited to Layer 2 inspection; hence, information encapsulated in higher layers cannot be evaluated.
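The difference between the Layer 2 view of a replicated frame and the Layer 2 through Layer 7 inspection described earlier can be shown in a short sketch. This is an added example, not part of the original text; the frame, addresses, keywords, and function names are constructed for illustration, and only IPv4/TCP is handled.

```python
import struct

def build_sample_frame(payload):
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left at zero)."""
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def inspect_layer2(frame):
    """Layer 2 view only: MAC addresses and EtherType, nothing about content."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}

def inspect_deep(frame, keywords):
    """Walk Ethernet -> IPv4 -> TCP, then keyword-search the Layer 7 payload."""
    result = inspect_layer2(frame)
    result.update(proto=None, dport=None, hits=[])
    if result["ethertype"] != 0x0800 or len(frame) < 34:
        return result                       # not IPv4, or truncated
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]
    result["proto"] = frame[23]
    tcp_off = 14 + ihl
    if ihl < 20 or result["proto"] != 6 or len(frame) < tcp_off + 20:
        return result                       # malformed, not TCP, or truncated
    result["dport"] = struct.unpack("!H", frame[tcp_off + 2:tcp_off + 4])[0]
    data_off = (frame[tcp_off + 12] >> 4) * 4   # TCP header length in bytes
    if data_off < 20:
        return result                       # malformed TCP header
    # Slice by the IP total length so Ethernet trailer padding is not searched.
    payload = frame[tcp_off + data_off:14 + total_len].lower()
    result["hits"] = [k for k in keywords if k.lower() in payload]
    return result

if __name__ == "__main__":
    frame = build_sample_frame(b"GET /report.txt HTTP/1.1\r\nHost: example.test\r\n\r\n")
    print(inspect_layer2(frame))
    print(inspect_deep(frame, [b"host: example.test", b"password"]))
```

The per-packet header walk and payload search in `inspect_deep` is the work a conventional DPI system repeats for every packet from every end-unit.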
Therefore, it would be highly advantageous to provide a DPI solution that overcomes the deficiencies noted above.